From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Tue, 22 Oct 2013 08:17:26 -0400 Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382) --- program/lib/Roundcube/rcube_spellchecker.php | 22 +++++++++------------- 1 files changed, 9 insertions(+), 13 deletions(-) diff --git a/program/lib/Roundcube/rcube_spellchecker.php b/program/lib/Roundcube/rcube_spellchecker.php index 30d15d7..bf29e49 100644 --- a/program/lib/Roundcube/rcube_spellchecker.php +++ b/program/lib/Roundcube/rcube_spellchecker.php @@ -2,8 +2,6 @@ /* +-----------------------------------------------------------------------+ - | program/include/rcube_spellchecker.php | - | | | This file is part of the Roundcube Webmail client | | Copyright (C) 2011, Kolab Systems AG | | Copyright (C) 2008-2011, The Roundcube Dev Team | @@ -14,13 +12,11 @@ | | | PURPOSE: | | Spellchecking using different backends | - | | +-----------------------------------------------------------------------+ | Author: Aleksander Machniak <machniak@kolabsys.com> | | Author: Thomas Bruederli <roundcube@gmail.com> | +-----------------------------------------------------------------------+ */ - /** * Helper class for spellchecking with Googielspell and PSpell support. @@ -35,7 +31,7 @@ private $lang; private $rc; private $error; - private $separator = '/[\s\r\n\t\(\)\/\[\]{}<>\\"]+|[:;?!,\.]([^\w]|$)/'; + private $separator = '/[\s\r\n\t\(\)\/\[\]{}<>\\"]+|[:;?!,\.](?=\W|$)/'; private $options = array(); private $dict; private $have_dict; @@ -150,7 +146,7 @@ function get_xml() { // send output - $out = '<?xml version="1.0" encoding="'.RCMAIL_CHARSET.'"?><spellresult charschecked="'.mb_strlen($this->content).'">'; + $out = '<?xml version="1.0" encoding="'.RCUBE_CHARSET.'"?><spellresult charschecked="'.mb_strlen($this->content).'">'; foreach ($this->matches as $item) { $out .= '<c o="'.$item[1].'" l="'.$item[2].'">'; 
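Review bot: The new `$separator` pattern in the `-35,7` hunk has no comment explaining why `([^\w]|$)` became the lookahead `(?=\W|$)`. A short comment such as `// lookahead: do not consume the character that follows the punctuation` would record the intent. The pattern also has no `u` modifier, so `\s` and `\W` presumably work byte-wise on multibyte text; how the separator is applied is outside the hunk, so this should be checked against non-ASCII input.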
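Review bot: In `get_xml()` the context line `$out .= '<c o="'.$item[1].'" l="'.$item[2].'">';` writes the match offset and length into XML attributes without a cast or escaping. If `$this->matches` can be filled from a remote spell service response (not visible in this hunk), casting both values keeps the output well-formed whatever the backend returns: `$out .= '<c o="'.(int)$item[1].'" l="'.(int)$item[2].'">';`. On the changed line, `mb_strlen($this->content)` takes no charset while the `mb_substr()` calls in this patch pass `RCUBE_CHARSET`; passing it here too would keep the count consistent. The function body continues outside the hunk.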
@@ -178,7 +174,7 @@ $word = $item[0]; } else { - $word = mb_substr($this->content, $item[1], $item[2], RCMAIL_CHARSET); + $word = mb_substr($this->content, $item[1], $item[2], RCUBE_CHARSET); } $result[$word] = is_array($item[4]) ? implode("\t", $item[4]) : $item[4]; } @@ -326,7 +322,7 @@ return; } - $this->plink = pspell_new($this->lang, null, null, RCMAIL_CHARSET, PSPELL_FAST); + $this->plink = pspell_new($this->lang, null, null, RCUBE_CHARSET, PSPELL_FAST); } if (!$this->plink) { @@ -358,7 +354,7 @@ $gtext = '<?xml version="1.0" encoding="utf-8" ?>' .'<spellrequest textalreadyclipped="0" ignoredups="0" ignoredigits="1" ignoreallcaps="1">' - .'<text>' . $gtext . '</text>' + .'<text>' . htmlspecialchars($gtext) . '</text>' .'</spellrequest>'; $store = ''; @@ -387,7 +383,7 @@ || !empty($this->options['ignore_caps']) || !empty($this->options['dictionary']) ) { foreach ($matches as $idx => $m) { - $word = mb_substr($text, $m[1], $m[2], RCMAIL_CHARSET); + $word = mb_substr($text, $m[1], $m[2], RCUBE_CHARSET); // skip exceptions if ($this->is_exception($word)) { unset($matches[$idx]); @@ -416,7 +412,7 @@ $result = array(); foreach ($matches as $m) { - $result[] = mb_substr($text, $m[1], $m[2], RCMAIL_CHARSET); + $result[] = mb_substr($text, $m[1], $m[2], RCUBE_CHARSET); } return $result; @@ -447,7 +443,7 @@ private function html2text($text) { - $h2t = new html2text($text, false, true, 0); + $h2t = new rcube_html2text($text, false, true, 0); return $h2t->get_text(); } @@ -592,7 +588,7 @@ if (empty($plugin['abort'])) { $dict = array(); - $this->rc->db->query( + $sql_result = $this->rc->db->query( "SELECT data FROM ".$this->rc->db->table_name('dictionary') ." WHERE user_id ". ($plugin['userid'] ? "= ".$this->rc->db->quote($plugin['userid']) : "IS NULL") ." AND " . $this->rc->db->quoteIdentifier('language') . " = ?", -- Gitblit v1.9.1
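Review bot: In the `-358,7` hunk the new `htmlspecialchars($gtext)` call relies on the default flags and default charset, which vary between PHP versions, while the request declares `encoding="utf-8"`. Being explicit avoids escaping under a different charset assumption: `.'<text>' . htmlspecialchars($gtext, ENT_QUOTES, 'UTF-8') . '</text>'`. With a UTF-8 charset, htmlspecialchars() returns an empty string for input containing invalid byte sequences, so it is worth deciding whether an empty request is acceptable in that case. The patch subject names utils/save-prefs, but this escaping is the only injection-related change visible in this file. The enclosing function starts and ends outside the hunk.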
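Review bot: In the `-592,7` hunk the query mixes two styles: the user id is concatenated via `$this->rc->db->quote($plugin['userid'])` while the language is bound through `?`. Since `$plugin` appears to be the result of a plugin hook (inferred from `$plugin['abort']`), binding the id as a parameter too would keep all values out of the SQL string, e.g. `($plugin['userid'] ? "= ?" : "IS NULL")` with the id added to the bound arguments only in that branch. The truthiness test also treats a user id of `0` or `'0'` as absent. The `query()` call continues past the end of the hunk, so the argument list is not visible here.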